With easing of stress tests, bank risk teams have to step up
Following the passage of the new regulatory relief law last month, several provisions of the Dodd-Frank Act will be significantly scaled back, including changes to how regulatory stress tests are run.
The move could free up banks to better tailor their risk management strategies, but the changes ahead must be monitored closely.
Most notably, the new law eliminates mandated annual stress tests, known as the Dodd-Frank Act Stress Test requirement, or DFAST, for banks with assets of less than $250 billion, although banks with $100 billion to $250 billion will still be tested periodically. Financial institutions with assets of $10 billion to $250 billion are also no longer required to perform company-run stress tests.
Those who argued in favor of keeping DFAST intact felt that large regional and midsize banks needed the discipline of a regulatory stress test to understand their vulnerabilities in a stressed environment. The opposition, in favor of deregulation, said that DFAST was a factor constraining lending, and therefore limiting the recovery for individuals and small businesses. But that point is questionable given the consistent loan growth and financial performance of many regional and midsize banks. In addition, regardless of any regulatory requirement, banks should be doing their own stress testing as part of their risk management program. Any threats of constraining economic growth have seemed to pale in comparison with the potential value stress testing provides to help avert another devastating financial crisis.
Now that the president has signed this bill, we are left with a major question to ponder: How will this change impact the future health of our financial system? And more specifically, how will it impact the ability of regulators to supervise the safety and soundness of the impacted banks?
Between rapid changes in technology and demographics, and geopolitical concerns, the level of risk in the world is still high. Nonetheless, Congress has clearly decided it is comfortable shifting responsibility away from standardized regulations and back onto the banks to manage their own risk. This means that all taxpayers should become more interested in the risk management practices at financial institutions, as well as how the banking regulators monitor their risk. As history has taught us, if banks mismanage their risk, the country loses.
I believe that the case for a regulator-mandated stress test is sound. Yet as financial institutions become larger and more complex, it becomes exponentially more difficult to understand the inherent risks they hold and how they will weather another economic storm. Each bank faces idiosyncratic risks that cannot be adequately captured in a one-size-fits-all approach. The Federal Reserve identified and understood this problem with the largest banks many years ago, and in response shifted their supervisory focus away from the standardized “severely adverse scenario” to primarily assessing each bank’s unique “bank holding company stress scenario.”
This shift can be easily identified because no banks have “failed” the quantitative portion of the Fed’s Comprehensive Capital Analysis and Review, or CCAR stress test, in recent years. This indicates that the value of all firms running a single stress scenario is yielding diminishing returns. The standardized nature of DFAST has limited value in isolation due to higher capital levels at banks, the predictability of the scenario and the inability for a single scenario to capture all material risks. For this reason, ending the DFAST requirement may be a smart move, but only if regulators continue to expect banks to maintain robust capital planning processes, including their own version of stress scenario analysis.
Abandoning stress testing exercises altogether would not be a good idea. Despite the shortcomings of DFAST as a risk management tool, the initial discipline it instilled in financial institutions was very successful. The requirement forced banks to improve their data collection processes, enhance their understanding of their risks and translate those risks into meaningful information their leaders could use to manage their business. Eliminating the specific regulatory burden of DFAST should give institutions the opportunity to better tailor their stress testing processes to their business — it should not be an excuse to abandon the process altogether.
Banks have developed a certain amount of expertise over the years from creating enterprise stress testing approaches. Because of this, and the advances in technology available to banks, it is now much cheaper and easier to run many possible scenarios and analyze their potential impact on capital and liquidity. If this regulatory change enables banks to consider more scenarios that are aligned with their underlying risks, then the change will have a net positive effect for all.
But that’s not the whole story. For all the potential these changes may provide, there is an even greater risk. Without the impetus of the Dodd-Frank Act, banks would not have had the incentive to invest the capital needed to develop credible enterprise stress testing processes. With this new law, we are left hoping that banks — as well as their regulators — will demand that risk management remain the foundation upon which to manage their businesses.
Impacted banks must continue to invest in risk management infrastructure and ensure that their business decisions account for risk. Fostering a strong risk culture across organizations will be crucial, but difficult. Historically, banking regulators have had to use all the tools at their disposal to motivate banks to remain safe and sound — and a major tool has now been removed from them. Industry observers must continue to be proactive in monitoring how banks and regulators manage this change.